Ask yourself

Before you can apply these rules of design you must first consider the following questions:

What is the purpose of this document?

What is the next step after this document?

In fact, these questions can be asked about any document you need to produce in your career!

My Own Designs

I have produced my fair share of design documents over the years and I decided to look back at some of them and ask the questions above. What I found is that in the introductions I don't really state the purpose of the document very well. A typical example might be:

“This document describes the detailed LAN design for site X and how it is connected to the WAN”

How lame is that!

Now if I ask the questions above, my opening gambit might have been more like:

“This document's purpose is to detail the design elements which make up the new LAN for site X and how the site will connect to the WAN. The design elements break down into:

Physical Connectivity Components and Devices

The Layer 1 and 2 Topology

The Layer 3 Logical Topology

The Layer 3 Routing

Device Security

The contents of this document will provide the relevant information to implement the design.”

From this I have set out a basic document structure and clearly defined what the document will be used for.

Who will use it?

Another thing struck me recently, after having designs passed on to me for implementation and also looking back at my own designs: could someone other than the designer take the document and implement it with ease? Whether subconsciously or not, I have found that some of the necessary details get left in the designer's head.

So when you are the designer, remember that the implementer will not have all the minor details that might be floating around your head. Make a conscious effort to consider the person who will be picking up the document and having to implement it, and try to get all the minor details into the design.

Summary

When writing design documents, especially detailed designs, consider the purpose of the document and state it clearly. More importantly, consider the person who is going to have to implement it. With these thoughts running through your mind while the document is being created, the receiver of the design document should have a better chance of implementing it in a shorter time frame, with less interaction required with the designer.

Whether ’tis nobler in the network to suffer un-accelerated traffic during an outage or to take arms in the form of Policy Based Routing.

When you decide to deploy Citrix Branch Repeaters (CBR) you have to deploy one at either end of the WAN to accelerate and compress traffic between those endpoints. Therefore it would seem sensible to have some resilience in the design, at a minimum to protect the hub in a hub and spoke topology.

Deployment Models

There are 3 deployment models that I would consider. There are actually a few more available, like proxy redirect, but they are not relevant to where I want to go in this post.

Inline mode – sits on the wire and accelerates traffic flowing between its Ethernet ports.

WCCP mode – the router uses WCCP to pull traffic towards the device. An active/standby pair is possible.

Virtual Inline mode – the router sends the traffic to the WAN appliance (using PBR) and the appliance accelerates it and sends it back to its default gateway. An active/standby pair is possible.

You should also be aware that the CBR needs to accelerate a conversation from the start and cannot kick in halfway through. Therefore the longer the CBR has been offline, the more conversations will have been missed, and those cannot be accelerated until they are restarted.

Inline Mode

There are a few problems with this when thinking about resilience.

As stated above, CBRs work in pairs at either end of the WAN and require symmetric routing; therefore you would have to ensure that data passes from Hub1 to Spoke1 and back from Spoke1 to Hub1. Then you have to figure out how to do Hub1 to Spoke2 and Spoke2 to Hub1, or perhaps Hub2 to Spoke2 and Spoke2 to Hub2. Yes, it gets messy!

If the system fails open and leaves traffic un-accelerated and un-compressed for any length of time, you will have a performance hit on the WAN, most likely at the spoke site, as this is typically where the bandwidth will have been tuned down to match the CBR accelerated traffic profile.

To replace the appliance you have to disconnect an inline connection, and arranging downtime for that is always problematic.

I cannot see any simple way of providing resiliency if an appliance fails, albeit it fails open with no acceleration.

WCCP mode

This seems sensible at the outset: the router forwards traffic to the CBR based on the WCCP requests the CBR sends to the router, and this can be done with hardware switching (depending on the device) so it is fast.

Here is what you need to know about the CBR setup with WCCP when you deploy a pair of CBRs in HA mode:

They run as Active/Standby.

There is no stateful fail-over.

Packets, once accelerated, are returned to the WCCP router that sent them to the CBR.

At fail-over, the standby becoming active needs to negotiate WCCP with the router once VRRP has failed over.

In my testing on a 3750-X I have seen this consistently take 90 seconds before WCCP is established and traffic is being accelerated again, and this was with the WCCP settings hardcoded on the CBR.

Virtual Inline Mode

This works very similarly to WCCP, except that rather than using WCCP to direct the traffic we use PBR. The thing here is that if a router can do WCCP in hardware then it is very likely to be able to do PBR in hardware too, so from a performance perspective I cannot determine the advantage of WCCP. Allegedly the configuration on the router is simpler with WCCP, but here's what you need to know:

They run as Active/Standby.

There is no stateful fail-over.

Packets, once accelerated, are sent to the CBR's default gateway address. (This is the key difference from WCCP.)

PBR can send to the VRRP address of the pair, therefore fail-over only takes as long as VRRP takes to switch over.

In my testing on a 3750-X I have seen this take under 4 seconds before VRRP on the CBR has failed over and traffic is being accelerated again.
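As an added example (not configuration from the original post), this is what the router side of a virtual inline deployment looks like on Cisco IOS. PBR on the LAN-facing and WAN-facing interfaces sends site-to-site traffic to the VRRP address of the CBR pair; the CBR VLAN itself carries no policy, so packets the CBR hands back to its default gateway follow the normal routing table instead of being redirected a second time. All addresses, VLAN and interface names, the remote subnet and the CBR VRRP address are assumptions.

```cisco
! Constructed example, not from the original post. Addresses, VLANs,
! interfaces and the remote subnet are assumptions.
!
! Assumed topology:
!   Vlan10   10.1.10.1/24   LAN (clients and servers)
!   Vlan20   10.1.20.1/24   CBR pair: CBR-A 10.1.20.11, CBR-B 10.1.20.12,
!                           VRRP address 10.1.20.10, default gateway 10.1.20.1
!   Gi1/0/1  192.0.2.1/30   WAN link
!   10.2.0.0/16             remote (spoke) site subnets
!
! Only LAN <-> remote-site traffic is redirected; anything else, including
! traffic to and from the CBR VLAN, is routed normally.

ip access-list extended CBR-TO-WAN
 permit ip 10.1.10.0 0.0.0.255 10.2.0.0 0.0.255.255
!
ip access-list extended CBR-FROM-WAN
 permit ip 10.2.0.0 0.0.255.255 10.1.10.0 0.0.0.255
!
! Outbound: LAN traffic heading for the remote site goes to the CBR VRRP
! address; the active CBR accelerates it and sends it to its gateway, which
! then routes it out of the WAN interface in the usual way.
route-map CBR-LAN-SIDE permit 10
 match ip address CBR-TO-WAN
 set ip next-hop 10.1.20.10
!
! Inbound: accelerated traffic arriving from the WAN goes to the CBR, which
! restores it and hands it back to its gateway for normal delivery to the LAN.
route-map CBR-WAN-SIDE permit 10
 match ip address CBR-FROM-WAN
 set ip next-hop 10.1.20.10
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip policy route-map CBR-LAN-SIDE
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ! Deliberately no "ip policy": this is the return path from the CBRs.
!
interface GigabitEthernet1/0/1
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map CBR-WAN-SIDE
```

Two caveats a practitioner will want. First, with a plain set ip next-hop to an address on a connected subnet, if both appliances are down the switch still policy-routes the matching traffic to an address that no longer answers ARP and drops it, so this design fails closed rather than falling back to un-accelerated routing. IOS has set ip next-hop verify-availability with object tracking to fall through to the routing table in that case; whether it is available depends on platform and feature set, so check it on your hardware. Second, on the Catalyst 3750 family PBR, like WCCP, requires the routing SDM template, which only takes effect after a reload.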

Conclusion

WCCP was developed by Cisco for redirecting and load-balancing web traffic across an array of web proxy servers, and in version 2 it was expanded to work with other protocols. In this case, where load balancing is not an option due to the active/standby nature of the deployment, I cannot see a strong need for WCCP; in addition, your fail-over will take over 1 minute before the pair is capable of accelerating traffic again.

The advantage that WCCP has over PBR is that it sends the accelerated packets back to the originating router; therefore if you have 2 WAN connections it can easily use both, whereas the PBR solution is always going to prefer a single router.

For me PBR seems like the more sensible choice for deploying CBRs with resilience, unless there is a need to balance the traffic load across multiple egress points.

I have been looking around for documentation on how to configure TACACS authentication on a Citrix Branch Repeater; however, so far I have only been able to find documentation for NetScaler. So I have set up a lab and decided to write the documentation myself.

For those who cannot be bothered to read this post, there is a video link at the bottom of the post with a walkthrough.

Summary

I was not able to find any documentation on how to configure the Citrix Branch Repeater with Cisco's TACACS+, so I set up a lab and worked it out for myself. What I would say is that setting up EXEC mode and privilege 15 could break the way you currently log on to devices using TACACS+, so be careful.

I was intrigued and excited by Juniper's announcement last week of QFabric. I was vaguely aware of TRILL and Cisco's implementation (FabricPath), but came to the table (so to speak) with no preconceptions of what I might expect.

SCI-FI – Is this just me?

Is the Q in QFabric taken from sci-fi TV? I can't help but wonder if the Q in QFabric is taken from Star Trek: The Next Generation, where Q appeared in the first episode of the first season as the omnipotent life form in control of everything, able to transport anyone, anything, anywhere in an instant (Interconnect). There is also a Borg-like undertone of all these independent units (Nodes) acting as a single entity under the control of the Borg Queen (Director), with the QFX3500 being the drones (decision engines) which can adapt to Fibre Channel or Ethernet with the correct attachment.

Standout Points for Me

Single logical device: Despite its distributed implementation, QFabric acts as a single logical packet switching device.

QFabric implements virtual Layer 2 and Layer 3

During the announcement packet forwarding was described in such terms that you make a decision once about the destination for a packet, not at each junction in the network. If you could build out a datacentre using QFabric and still have the ability to subdivide the network at layer 3 whilst taking full advantage of the low latency, high bandwidth transport across your datacentre, then this is truly exciting.

I have to say I would be very surprised if this is in fact the case, because the companies who do divide the network into service zones generally protect these with at least some access control lists, or perhaps even firewalls. I just can't see how Juniper could maintain the low latency forwarding while performing these functions across the entire fabric. I could imagine a Node (edge device) doing inter-VLAN routing, but not routing (packet switching) to a VLAN on another Node.

Single Logical Device

I just hope that when Juniper say single logical device, they actually mean the network as a single entity and not just a bunch of independent network devices viewed through a GUI to make them look like a single entity.

The edge nodes described during the announcements (QFX3500) seem to be fairly independent devices, so what changes when they are tied into the QFabric? Let's hope they become fully integrated into the fabric.

Summary

There were two key points in the QFabric announcements that got me excited, Layer 3 and a single management instance. I just hope the “sales talk” in the announcement does deliver on a technical level and that my excitement does not turn into disappointment.

Easy peasy lemon squeezy

This seems a straightforward question! Just load the Advanced IP Services license, install the license file and reboot the switch, and you should be good to go. Well, that's what I thought until recently, when I did the very steps above; on the surface everything seemed okay, but when I wanted to do some fancy layer 3 functionality: FAIL.

Everything seemed okay

I had EIGRP running, advertising several networks and receiving the default routes, and from a routing perspective everything was fine. Then along came our project to install a Citrix Branch Repeater, where we were going to implement WCCP. Looking through the documentation on the Cisco website and the Citrix website, everything seemed straightforward: just a few commands on the 3750-X and we should be able to use WCCP to redirect packets towards the Citrix repeater at layer 2. Indeed the Citrix repeater synchronised with the router under WCCP and all was looking super. I soon realised that there were no packets being sent to the Citrix repeater; configurations were checked, re-checked, removed and re-applied. But apart from the odd packet being forwarded according to “show ip wccp”, it definitely was not forwarding packets.

Now this points to the Switch Database Management template not being in the correct mode. So, hands up here, I have not done much work with these types of switches; I suppose what was disappointing was that the switch did not flag any errors during the configuration. In my defence I did not put the design together, therefore I did not do the research I would normally do when implementing new features. Having said that, changing the SDM preferred template does not exactly jump out of the documentation.

Unfortunately I was working in a live environment and did not have access to a test lab, so I had to back out the WCCP changes, because changing the SDM preferred template to “routing” would require a switch reboot and this could not be done without causing operational issues.

I am now trying to locate a 3750-X to test this theory, but the evidence seems pretty conclusive that having the wrong preferred SDM template is the source of my problem.
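As an added example (not commands from the original post), this is the sequence a practitioner would run on a 3750-X before trusting WCCP redirection: check the active SDM template, switch to the routing template and reload, then configure the service groups with a group list and password so that only the known CBRs can register. The service group numbers, interface names and CBR addresses are assumptions; use the service group numbers configured on your CBRs.

```cisco
! Constructed example, not from the original post. Service group numbers,
! interface names and CBR addresses are assumptions.

! 1. Check which SDM template is active. WCCP (and PBR) on this platform
!    need the routing template; with the default template the WCCP service
!    still negotiates but almost nothing is redirected, which is the
!    silent failure described above.
Switch# show sdm prefer

! 2. Select the routing template. It is only applied after a reload, so
!    schedule an outage window before doing this on a production switch.
Switch# configure terminal
Switch(config)# sdm prefer routing
Switch(config)# end
Switch# write memory
Switch# reload

! 3. After the reload, confirm that the routing template is now in use.
Switch# show sdm prefer

! 4. Restrict which devices may join the service groups to the two CBRs
!    and require the WCCP group password. Without these, any host on the
!    segment that speaks WCCP can register as a cache engine and have the
!    site's traffic redirected to it.
Switch# configure terminal
Switch(config)# access-list 10 permit 10.1.20.11
Switch(config)# access-list 10 permit 10.1.20.12
Switch(config)# ip wccp 61 group-list 10 password 0 ChangeMe
Switch(config)# ip wccp 62 group-list 10 password 0 ChangeMe

! 5. Ingress redirection on the LAN-facing and WAN-facing interfaces.
!    Nothing is applied to the CBR VLAN, so packets the CBR returns are
!    not redirected a second time.
Switch(config)# interface Vlan10
Switch(config-if)# ip wccp 61 redirect in
Switch(config-if)# interface GigabitEthernet1/0/1
Switch(config-if)# ip wccp 62 redirect in
Switch(config-if)# end

! 6. Verify: the CBRs should be listed as cache engines for each service
!    and the redirect counters should increase as traffic flows. A service
!    that shows the engines but counters that stay near zero is the
!    symptom to look for when the SDM template is wrong.
Switch# show ip wccp
Switch# show ip wccp 61 detail
```

The WCCP password is a shared secret stored in the configuration, so treat it like any other device credential: keep it out of shared templates and rotate it together with the CBR side.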

Summary

I have recently run into issues where WCCP would not work on what seemed a very simple configuration, only to find that something fundamental in the 3750-X and other stackable Cisco switches had been overlooked: the Switch Database Management (SDM) template. I hope that if you read this article you will not get tripped up too.